{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/audit-tampering/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","audit-tampering","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers, including Red Teams, may disable or clear the Windows audit policy to evade detection and deny security analysts the events they need to identify malicious activity. The built-in \u003ccode\u003eauditpol.exe\u003c/code\u003e utility does this in a single command: \u003ccode\u003eauditpol /clear\u003c/code\u003e (usually with \u003ccode\u003e/y\u003c/code\u003e to suppress the confirmation prompt) resets the system audit policy for every subcategory to no auditing and deletes all per-user audit policies, while \u003ccode\u003eauditpol /remove\u003c/code\u003e deletes the per-user audit policy for one account (\u003ccode\u003e/user:\u003c/code\u003e) or for all accounts (\u003ccode\u003e/allusers\u003c/code\u003e). Either command erases audit configuration that security teams rely on for detecting and responding to threats. With auditing cleared, adversaries operate with a much lower chance of being detected, which can prolong their access and enable further exploitation of compromised systems. 
The activity is significant because it is a deliberate attempt to subvert security monitoring rather than a side effect of normal administration, where \u003ccode\u003e/clear\u003c/code\u003e and \u003ccode\u003e/remove\u003c/code\u003e have little routine use.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system (e.g., via compromised credentials or by exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to an account with sufficient permissions to modify audit policies (by default this means the Manage auditing and security log right, \u003ccode\u003eSeSecurityPrivilege\u003c/code\u003e, which Administrators hold).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eauditpol.exe\u003c/code\u003e with the \u003ccode\u003e/clear\u003c/code\u003e or \u003ccode\u003e/remove\u003c/code\u003e command-line argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eauditpol.exe\u003c/code\u003e process modifies the system\u0026rsquo;s audit policy settings.\u003c/li\u003e\n\u003cli\u003eWith the policy cleared, the system stops generating the Security log events that depend on it (logon, process creation, object access and the rest). The Event Log service keeps running and already-written events remain, so the effect is a gap going forward rather than a wiped log.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities without generating standard audit events.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network to compromise additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eClearing the Windows audit policy can have a severe impact on an organization\u0026rsquo;s security posture. The lack of audit events hinders incident response, making it difficult to investigate security incidents and identify compromised systems. Attackers can move laterally, steal sensitive data, or deploy ransomware without triggering standard alerts. This can result in significant financial losses, reputational damage, and regulatory penalties. 
Cleared audit policy has been used in real intrusions, not only by Red Teams: during the Solorigate (SolarWinds) campaign the actors used \u003ccode\u003eauditpol\u003c/code\u003e to disable event logging around their hands-on-keyboard activity and re-enabled it afterwards, so a policy that is cleared and restored within a short window deserves the same scrutiny as one left cleared.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Auditpol Clear Command\u003c/code\u003e to your SIEM to identify instances of \u003ccode\u003eauditpol.exe\u003c/code\u003e being used to clear audit policies.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of \u003ccode\u003eauditpol.exe\u003c/code\u003e with its command-line arguments; Sysmon records the command line unconditionally, which makes it the more reliable source.\u003c/li\u003e\n\u003cli\u003eMonitor Security event 4688 (process creation) for \u003ccode\u003eauditpol.exe\u003c/code\u003e. 4688 only carries the command line when the policy \u0026ldquo;Include command line in process creation events\u0026rdquo; is enabled, and without the command line a \u003ccode\u003e/clear\u003c/code\u003e cannot be told apart from a routine \u003ccode\u003e/get\u003c/code\u003e. After a \u003ccode\u003e/clear\u003c/code\u003e no further 4688 events are generated until auditing is restored, so the event for \u003ccode\u003eauditpol.exe\u003c/code\u003e itself, written before the change took effect, is often the last one from that host.\u003c/li\u003e\n\u003cli\u003eCorrelate with Security event 4719 (System audit policy was changed), which names the subcategory and whether success or failure auditing was added or removed, and is logged regardless of the Audit Policy Change subcategory setting, so it survives the clear itself.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003eauditpol.exe\u003c/code\u003e is executed with the \u003ccode\u003e/clear\u003c/code\u003e or \u003ccode\u003e/remove\u003c/code\u003e arguments, as this could indicate malicious activity. Treat \u003ccode\u003e/set\u003c/code\u003e with \u003ccode\u003e/success:disable /failure:disable\u003c/code\u003e across a category or \u003ccode\u003e/category:*\u003c/code\u003e the same way, since it reaches the same end state without the \u003ccode\u003e/clear\u003c/code\u003e keyword.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the number of accounts that can modify audit policies, and enforce the audit policy through Group Policy so that a cleared local policy is reapplied at the next policy refresh and the gap is bounded.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Auditpol Remove Command\u003c/code\u003e to detect \u003ccode\u003eauditpol.exe\u003c/code\u003e executions with \u003ccode\u003e/remove\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-auditpol-clear/","summary":"The execution of `auditpol.exe` with the `/clear` or `/remove` command-line arguments indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits, potentially leading to full machine compromise or lateral movement.","title":"Windows Audit Policy Cleared via 
Auditpol","url":"https://feed.craftedsignal.io/briefs/2024-01-auditpol-clear/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["vmware","esxi","audit-tampering","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis detection identifies attempts to tamper with audit records on VMware ESXi hosts. Attackers with administrative privileges on an ESXi host can use the \u003ccode\u003eesxcli system auditrecords\u003c/code\u003e command to turn off the host\u0026rsquo;s audit trail: its subcommands disable local audit record storage (\u003ccode\u003elocal disable\u003c/code\u003e), disable streaming of audit records to remote syslog (\u003ccode\u003eremote disable\u003c/code\u003e), or change where and how much is stored locally (\u003ccode\u003elocal set\u003c/code\u003e). This can be done either remotely or from a shell on the host, and is indicative of an attacker attempting to cover their tracks, evade detection, and hinder subsequent forensic investigations. Successfully tampering with audit records allows malicious actors to operate undetected within the environment, potentially leading to long-term compromise and data exfiltration. 
This activity is particularly relevant in cases involving ransomware, such as Black Basta, where attackers may attempt to erase evidence of their lateral movement and payload deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with privileges to access the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host, either locally or remotely, likely using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eesxcli system auditrecords\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elocal disable\u003c/code\u003e or \u003ccode\u003eremote disable\u003c/code\u003e subcommand stops the host from storing or forwarding audit records, or \u003ccode\u003elocal set\u003c/code\u003e moves or shrinks the local store; the command does not edit or delete individual entries that already exist.\u003c/li\u003e\n\u003cli\u003eFrom this point the attacker\u0026rsquo;s actions on the host (credential use, datastore access, payload staging) produce no audit records, so the command is most useful to the attacker when run before the noisy part of the intrusion rather than after it.\u003c/li\u003e\n\u003cli\u003eAfter tampering, the attacker continues their malicious activities (e.g., lateral movement, data exfiltration, or ransomware deployment) with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe absence of relevant audit records impairs incident response and forensic analysis efforts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with ESXi audit records can severely hinder incident response and forensic analysis. Without accurate records, security teams will struggle to determine the scope and timeline of an attack. In environments affected by ransomware like Black Basta, this can lead to delayed containment and increased data loss. An incomplete attack timeline slows recovery and remediation, since responders cannot be sure which hosts and datastores were touched. 
While there are no victim statistics available for this specific technique, the impact on affected organizations can be significant, resulting in financial losses, reputational damage, and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Syslog on all ESXi hosts and forward logs to a centralized logging server so that records are captured and retained even if the local copy is tampered with. Because \u003ccode\u003eremote disable\u003c/code\u003e can switch off audit record forwarding too, also alert when a host that has been sending audit records goes quiet.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;ESXi Audit Tampering Detection\u0026rdquo; to your SIEM to detect usage of the \u003ccode\u003eesxcli system auditrecords\u003c/code\u003e command. The rule depends on the command being recorded (commands entered in the ESXi shell are written to \u003ccode\u003e/var/log/shell.log\u003c/code\u003e) and forwarded before the host is touched, and a read-only \u003ccode\u003eget\u003c/code\u003e should be scored lower than \u003ccode\u003edisable\u003c/code\u003e or \u003ccode\u003eset\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the source and destination of the command execution.\u003c/li\u003e\n\u003cli\u003eMonitor the risk score associated with the impacted systems using the \u003ccode\u003erisk_objects\u003c/code\u003e field in the report.\u003c/li\u003e\n\u003cli\u003eReview access controls and privileges assigned to ESXi hosts to minimize the attack surface, and periodically compare the output of \u003ccode\u003eesxcli system auditrecords get\u003c/code\u003e against the expected baseline so that a disabled or redirected audit store is caught even if the command itself was never logged.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-esxi-audit-tampering/","summary":"Detection identifies the use of the esxcli system auditrecords commands to tamper with logging on an ESXi host, potentially evading detection and hindering forensic analysis.","title":"ESXi Audit Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-audit-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Audit-Tampering","version":"https://jsonfeed.org/version/1.1"}
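Added example, not part of the CraftedSignal feed or of the Splunk/Sigma content it references: the detection logic behind both briefs above (auditpol.exe clearing Windows audit policy, and esxcli system auditrecords switching off the ESXi audit trail), run over constructed sample records so it executes offline. It assumes Windows process-creation events (Sysmon EID 1 or Security 4688) have been normalised to dicts with `image` and `command_line` keys, and that ESXi shell commands arrive as `/var/log/shell.log` lines of the form `<timestamp> shell[<pid>]: [<user>]: <command>`; both shapes are assumptions to map onto your own SIEM schema. It goes slightly beyond the first brief by also labelling `auditpol /set ... /success:disable /failure:disable`, which disables auditing without the `/clear` keyword.

```python
"""Detection logic for the two audit-tampering briefs, over constructed input.

Added example, not the feed's or Splunk's code. Field names, the shell.log
line shape and all sample records below are assumptions/constructed data.
"""
import re

# ---- Windows: auditpol.exe clearing, removing or disabling audit policy ----

# /clear and /remove are the arguments the brief describes.
AUDITPOL_CLEAR = re.compile(r"/(clear|remove)\b", re.IGNORECASE)


def classify_auditpol(event):
    """Label one process-creation record, or return None if it is benign.

    Generalisation beyond the brief: '/set ... /success:disable /failure:disable'
    switches auditing off per category and reaches the same end state.
    """
    image = (event.get("image") or "").lower()
    if not (image.endswith(("\\auditpol.exe", "/auditpol.exe")) or image == "auditpol.exe"):
        return None
    cmd = event.get("command_line") or ""
    if AUDITPOL_CLEAR.search(cmd):
        return "windows_audit_policy_cleared"
    low = cmd.lower()
    if "/set" in low and "/success:disable" in low and "/failure:disable" in low:
        return "windows_audit_policy_disabled"
    return None  # /get, /list, /backup and friends are routine


def detect_windows(events):
    """Return (index, label) for every event that classifies as tampering."""
    hits = []
    for i, ev in enumerate(events):
        label = classify_auditpol(ev)
        if label:
            hits.append((i, label))
    return hits


# ---- ESXi: esxcli system auditrecords turning off the audit trail ----------

# Assumed shell.log shape: "<timestamp> shell[<pid>]: [<user>]: <command>"
SHELL_LINE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
# 'local disable', 'remote disable' and 'local set' change the audit store;
# the read-only 'get' (and 'enable') are deliberately left out of the match.
ESXCLI_AUDIT = re.compile(
    r"\besxcli\s+system\s+auditrecords\s+(?P<scope>local|remote)\s+(?P<action>disable|set)\b",
    re.IGNORECASE,
)


def classify_esxi_shell_line(line):
    """Return a dict describing the tampering command, or None."""
    m = SHELL_LINE.match(line)
    if not m:
        return None
    a = ESXCLI_AUDIT.search(m["cmd"])
    if not a:
        return None
    return {
        "ts": m["ts"],
        "user": m["user"],
        "scope": a["scope"].lower(),
        "action": a["action"].lower(),
        "cmd": m["cmd"],
    }


def detect_esxi(lines):
    """Return the classification of every line that matches."""
    return [h for h in (classify_esxi_shell_line(line) for line in lines) if h]


# ---- constructed sample input (not real telemetry) ------------------------

WIN_EVENTS = [
    {"image": r"C:\Windows\System32\auditpol.exe",
     "command_line": "auditpol /get /category:*"},                 # benign query
    {"image": r"C:\Windows\System32\auditpol.exe",
     "command_line": "auditpol /clear /y"},                        # the brief's case
    {"image": r"C:\Windows\System32\auditpol.exe",
     "command_line": "AUDITPOL.EXE /remove /allusers"},            # per-user policy wiped
    {"image": r"C:\Windows\System32\auditpol.exe",
     "command_line": "auditpol /set /category:* /success:disable /failure:disable"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c echo /clear"},                        # wrong image, ignored
]

ESXI_LINES = [
    "2024-01-03T11:58:02Z shell[2001]: [root]: esxcli system auditrecords get",
    "2024-01-03T11:58:40Z shell[2001]: [root]: esxcli system auditrecords local disable",
    "2024-01-03T11:59:10Z shell[2001]: [root]: esxcli system auditrecords remote disable",
    "2024-01-03T12:00:05Z shell[2001]: [root]: esxcli system syslog reload",
]

if __name__ == "__main__":
    for i, label in detect_windows(WIN_EVENTS):
        print(f"windows event {i}: {label}: {WIN_EVENTS[i]['command_line']}")
    for hit in detect_esxi(ESXI_LINES):
        print(f"esxi {hit['ts']} {hit['user']}: {hit['scope']} {hit['action']}")
```

The image check is on the executable name rather than the full path so a renamed copy is missed but a copy run from a different directory is not; pair it with the 4719 correlation from the first brief if you need to catch renamed binaries. In Splunk terms the Windows half is a filter on `process_name` and `process` from the Endpoint.Processes data model; the ESXi half only works if shell.log is being forwarded by syslog before the host is touched.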